dns localhost problem

Jim Reid jim at rfc1035.com
Tue Sep 26 15:52:16 UTC 2000


>>>>> "Joseph" == Joseph S D Yao <jsdy at cospo.osis.gov> writes:

    >> Is it fairly safe to run dns behind a firewall and just open
    >> that port for udp queries?

    Joseph> Some think so.  I don't.  BIND itself is a good proxy for DNS.

It depends on what you mean by "fairly safe" and what your security
policy is. As a general rule, DNS through the firewall is probably not
a good idea, but it depends on what sort of security policy is defined
and implemented. There was an article on Slashdot recently that
explained how to use the DNS as a means of transporting IP
datagrams. There was even a link to the code for doing this. So it's
now possible to use DNS packets to tunnel IP packets and have a name
server provide a covert channel for unwanted traffic. Most firewalls
are supposed to block unwanted traffic, so the capability to tunnel IP
over DNS is probably unacceptable. That would tend to imply that DNS
through the firewall should be unacceptable too.
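The covert-channel concern raised above is something a name-server operator can watch for in the query log even when the firewall policy does allow DNS out. The script below is an added example, not code from the post or from BIND: it reads constructed log lines written in BIND 9 "query" log style (the format, the 192.0.2.x client addresses and the domain covert-test.example are all assumptions for illustration), groups queries by registered domain, and computes the indicators that IP-over-DNS traffic tends to show: almost every query name is unique, the leftmost label is long and high-entropy (it carries the payload), and the record types are ones that can return arbitrary data (TXT, NULL). The thresholds and the "last two labels" notion of a registered domain are simplifications chosen here, not BIND settings.

```python
import math
import re
from collections import defaultdict

# Constructed leftmost labels for the tunnelling-style queries: each is a
# permutation of the hex alphabet followed by its reverse (32 chars, every
# symbol twice), which gives a known entropy of exactly 4 bits per character.
_PREFIXES = [
    "3a9f0c1e7b2d5846",
    "0f1e2d3c4b5a6978",
    "5b7d9f1302468ace",
    "fedcba9876543210",
    "1357902468acebdf",
    "a1b2c3d4e5f60789",
]

# Constructed sample in BIND 9 query-log style; hosts and domains are placeholders.
SAMPLE_LOG = "\n".join(
    [
        "26-Sep-2000 15:52:16.001 client 192.0.2.10#53412: query: www.example.com IN A + (192.0.2.1)",
        "26-Sep-2000 15:52:16.052 client 192.0.2.10#53413: query: mail.example.com IN MX + (192.0.2.1)",
        "26-Sep-2000 15:52:18.200 client 192.0.2.11#51000: query: www.example.com IN A + (192.0.2.1)",
    ]
    + [
        f"26-Sep-2000 15:52:{17 + i:02d}.100 client 192.0.2.77#4000{i}: query: "
        f"{p}{p[::-1]}.t.covert-test.example IN TXT + (192.0.2.1)"
        for i, p in enumerate(_PREFIXES)
    ]
)

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Record types that can carry arbitrary payload back to the client.
DATA_CARRYING_TYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumption: no public-suffix list is consulted)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Return (client, qname, qtype) tuples for every line that matches the query format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["client"], m["qname"].rstrip("."), m["qtype"].upper()))
    return records


def score_domains(records, min_queries=3):
    """Per registered domain, compute tunnelling indicators and flag when two or more fire."""
    by_domain = defaultdict(list)
    for _client, qname, qtype in records:
        by_domain[registered_domain(qname)].append((qname, qtype))

    results = {}
    for domain, items in by_domain.items():
        if len(items) < min_queries:  # too few queries to judge
            continue
        n = len(items)
        prefixes = [q.split(".")[0] for q, _ in items]  # leftmost label of each name
        stats = {
            "queries": n,
            "unique_prefix_ratio": len(set(prefixes)) / n,
            "mean_label_len": sum(len(p) for p in prefixes) / n,
            "mean_entropy": sum(shannon_entropy(p) for p in prefixes) / n,
            "data_type_share": sum(t in DATA_CARRYING_TYPES for _, t in items) / n,
        }
        # Illustrative thresholds; tune against your own baseline traffic.
        indicators = (
            (stats["unique_prefix_ratio"] > 0.8)
            + (stats["mean_label_len"] > 24)
            + (stats["mean_entropy"] > 3.5)
            + (stats["data_type_share"] > 0.5)
        )
        stats["indicators"] = indicators
        stats["flagged"] = indicators >= 2
        results[domain] = stats
    return results


def flagged_domains(text: str):
    """Sorted list of registered domains whose query pattern looks like a tunnel."""
    return sorted(d for d, s in score_domains(parse_log(text)).items() if s["flagged"])


if __name__ == "__main__":
    for domain, s in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: {s}")
```

Run against the constructed sample, only covert-test.example trips the flag (all four indicators fire); the ordinary www/mail lookups for example.com trip none. In practice the per-domain view should be combined with per-client volume and a baseline of normal label lengths, since legitimate CDNs and anti-spam services also issue long, unique TXT names and will show up as partial matches.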



More information about the bind-users mailing list